A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
10/13/2000 04:35p 5.0.3210.1300 459,536 Wininet.dll
This hotfix provides a registry parameter that you can use to increase the Kerberos token size. For example, increasing the token to 65 KB will allow a user to be present in more than 900 groups. Due to the associated security identifier (SID) information, this number may vary.
Perform the following in order to set this parameter:
- Start Registry Editor (Regedt32.exe).
- Locate and click the following registry setting:System\\CurrentControlSet\\Control\\Lsa\\Kerberos\Parameters
- On the Edit menu, click Add Value, and then add the following registry value:Value name: MaxTokenSize
Data type: REG_DWORD
Value data: 65535
- Quit Registry Editor.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Steps to Reproduce Behavior
- Create a Windows NT account.
- Make sure that Active Directory is installed and Integrated Authentication is configured.
- Add the account to approximately 100 different groups.
- Create a second account and add it to three of the groups.
CreateGroup.vbs from the resource kit is a viable method for doing so.
creategroup LDAP: DC=Domain,DC=Org,DC=Company,DC=com GroupName1
Article ID: 277741 - Last Review: Jul 9, 2008 - Revision: 1